The essentials: NIS2 becomes binding from June 30; security incidents must be reported to authorities within 72 hours.
The NIS2 Directive enters into force on June 30 and introduces new mandatory incident reporting requirements. Organizations in critical sectors must adapt their incident response processes.
With June 30, 2024, the transition period for implementing the European NIS2 Directive (Directive on Network and Information Security) comes to an end. From this date forward, new, stricter requirements for reporting security incidents apply to operators of critical infrastructure and important digital service providers.
The new reporting requirements obligate affected organizations to report security incidents with significant impact immediately, but no later than 72 hours after discovery, to the competent national authorities. This applies in particular to incidents that compromise the availability, integrity, or confidentiality of systems or data. In parallel, affected users must be notified in certain cases.
For CISOs, this means an increase in operational requirements: automated detection mechanisms must be in place to document the exact time of an incident. Additionally, written incident response plans are required that map out the authority reporting process. Communication channels to national cybersecurity agencies and regulators must be clarified and tested in advance.
Organizations should immediately review their existing incident management systems to ensure compliance with the new timelines. Late or missing reports can result in substantial fines.
Source: news.google.com · Published June 11, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.6.5.